I’ve just realised that I’d forgotten to talk about this subject. I remembered about it after reading Taylor Brown’s blog about unbinding TCP from the physical NIC that virtual machines are using on a Hyper-V host.
During my testing of our cluster I had to simulate a real environment. For us, that’s lots of virtual networks that are secured using physical firewall rules. The virtual networks are created on the physical network using VLANs and in Hyper-V using VLAN tagging. We do this by tagging the virtual machine at the host level.
When I originally set up the hosts I didn’t do anything special to the local area connections in Windows networking that represent the physical NICs the VMs use to communicate with the physical network. After some testing I soon found a problem. My host was getting DHCP addresses from one of my virtual test networks. How in the hell did that happen? Simple. TCP was still bound to the physical NIC. The NIC was on the same broadcast domain as one of the virtual networks. That’s a serious security issue.
The solution is simple. As you probably know, any NIC that is used for virtual networking should be dedicated purely to virtual networking. The parent partition (host OS) should have dedicated NIC(s) for management and security purposes, e.g. on a different VLAN and not prone to congestion caused by VM OS/application misbehaviour. You should then unbind TCP from the NICs that are dedicated to virtual networking. This affects neither the host nor the VMs. Taylor Brown also recommends unbinding any other network protocol that you happen to add to the parent partition.
Now your host partition is completely isolated, network-wise, from the virtual networks that its guest VMs are bound to. This allows you to create secured VLANs via tagging for your VMs, e.g. a VM can be on a network that is isolated via firewall rules from the parent partition.
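To check a host for the condition described above, here is an added audit script (not from the original post or from Taylor Brown). It assumes the Hyper-V and NetAdapter PowerShell modules of Windows Server 2012+/Windows 8+ and an elevated session; it reports, for each external virtual switch, any binding other than the virtual switch protocol still enabled on the physical NIC, and whether the parent partition still shares that NIC with the guests.

```powershell
# Added audit example (not from the original post). Assumes the Hyper-V and
# NetAdapter PowerShell modules (Windows Server 2012+/Windows 8+), run elevated.
# Nothing is changed; the Fix column only shows the command that would fix it.

Import-Module Hyper-V
Import-Module NetAdapter

# Component ID of the only binding that should stay enabled on a NIC that is
# dedicated to virtual networking: the Hyper-V Extensible Virtual Switch.
$allowed = @('vms_pp')

$findings = @()

foreach ($vmSwitch in Get-VMSwitch -SwitchType External) {
    $nic = Get-NetAdapter -InterfaceDescription $vmSwitch.NetAdapterInterfaceDescription -ErrorAction SilentlyContinue
    if (-not $nic) { continue }   # switch backed by a team/SET: inspect the member NICs separately

    # Any other enabled binding (typically ms_tcpip / ms_tcpip6) means the host OS
    # still talks on the guests' broadcast domain, which is how the host got a
    # DHCP lease from a VM test network in the post above.
    $stray = Get-NetAdapterBinding -Name $nic.Name |
        Where-Object { $_.Enabled -and ($allowed -notcontains $_.ComponentID) }

    foreach ($b in $stray) {
        $findings += [pscustomobject]@{
            Switch  = $vmSwitch.Name
            Adapter = $nic.Name
            Issue   = "Binding still enabled: $($b.DisplayName) [$($b.ComponentID)]"
            Fix     = "Disable-NetAdapterBinding -Name '$($nic.Name)' -ComponentID $($b.ComponentID)"
        }
    }

    # A management-OS vNIC on this switch puts the parent partition on the same
    # wire as the VMs; the post recommends a separate management NIC instead.
    if ($vmSwitch.AllowManagementOS) {
        $findings += [pscustomobject]@{
            Switch  = $vmSwitch.Name
            Adapter = $nic.Name
            Issue   = 'Management OS shares this adapter with the VMs'
            Fix     = "Set-VMSwitch -Name '$($vmSwitch.Name)' -AllowManagementOS `$false"
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'All external switch NICs are dedicated to virtual networking.' }
```

Run the suggested Set-VMSwitch fix only from a session on a separate management NIC, since removing the management-OS vNIC drops any host connectivity that went through the shared adapter.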
Hi Aidan
First, your IT blog is really informative with a lot of new MS stuff. Thanks…
Secondly, do you know how to unbind TCP from the physical NICs on a "Server Core platform"?
Your blog post reminded me that this was a bullet point on my to-do list.
Kind regards
Jesper
You can just disable the vNIC, which seems safer and easier (on core anyway)
http://blog.vistanetworks.ca/2008/06/07/server-core-2008-find-rename-enabledisable-your-network-adapter/
Hi Dave
Thanks for your input. I have just made a test and it works. I guess I have to read up on basic Hyper-V networking :-).
Also I found this statement below:
When Hyper-V is configured with a Virtual Network that is connected to a physical NIC (External), the network components on the physical NIC are all unselected except for the "Microsoft Virtual Network Switch Protocol". A new virtual NIC is created to allow the host to communicate with the VMs via a virtual switch. This virtual NIC on the host can be disabled and the VMs can still access the physical network.
So, in Server Core the only thing that needs to be done in a multi-NIC situation is to disable the new virtual NIC that gets created, because by default it is set up for DHCP and will get an IP number from a DHCP server if available. In addition, the NICs could be renamed to reflect whether they are assigned to the host or the guests.
In addition the NICs could be renamed to reflect if they are assigned to the host or the guests.
http://social.technet.microsoft.com/Forums/en-US/winservercore/thread/94bd0b5f-58fe-4ff7-9ffe-8f5ad97ac0fd/
Dave I think this is the best way to do it, thanks again.
Too bad that there is no "best practice" from MS about this issue.
/Jesper
Hi, I want to unbind a physical NIC from a virtual switch in Hyper-V on Win 10.
Help me if possible.
Thanks
Edit the switch settings and either change the NIC or switch to an Internal or private vSwitch.